CN116055475A - Detection method and device for bypass monitoring HTTPS - Google Patents


Info

Publication number
CN116055475A
Authority
CN
China
Prior art keywords
data
ssl
flow
traffic
http
Prior art date
Legal status
Pending
Application number
CN202310113327.9A
Other languages
Chinese (zh)
Inventor
曾立宁
史银华
江雪峰
Current Assignee
Hillstone Networks Co Ltd
Original Assignee
Hillstone Networks Co Ltd
Priority date
Filing date
Publication date
Application filed by Hillstone Networks Co Ltd
Priority to CN202310113327.9A
Publication of CN116055475A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D 30/00 Reducing energy consumption in communication networks
    • Y02D 30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application provides a detection method and a detection device for bypass monitoring of HTTPS. The method comprises: determining whether the traffic type of mirrored traffic sent by the data plane is HTTPS traffic; when the traffic type of the mirrored traffic sent by the data plane is determined to be HTTPS traffic, parsing the traffic data messages of the mirrored traffic with an SSL parser to obtain the HTTP plaintext corresponding to those messages; and performing security detection on the HTTPS traffic by means of the HTTP plaintext. The method achieves accurate detection of Hypertext Transfer Protocol Secure traffic.

Description

Detection method and device for bypass monitoring HTTPS
Technical Field
The application relates to the field of bypass monitoring of HTTPS security, in particular to a detection method and device for bypass monitoring of HTTPS.
Background
At present, when a simulated client and a simulated server are used, the original message is usually sent to a detection server for analysis, and the random numbers in the messages the detection server returns to the simulated client and simulated server necessarily differ from those of the original message.
The detection server therefore cannot successfully and securely interface with the simulated client and simulated server, and cannot support traffic detection for the Hypertext Transfer Protocol Secure.
How to accurately detect Hypertext Transfer Protocol Secure traffic is therefore a technical problem to be solved.
Disclosure of Invention
An object of the embodiments of the present application is to provide a method for detecting HTTPS under bypass monitoring, by which Hypertext Transfer Protocol Secure traffic can be detected accurately.
In a first aspect, an embodiment of the present application provides a method for detecting HTTPS under bypass monitoring, including: determining whether the traffic type of mirrored traffic sent by the data plane is HTTPS traffic; when the traffic type of the mirrored traffic sent by the data plane is determined to be HTTPS traffic, parsing the traffic data messages of the mirrored traffic with an SSL parser to obtain the HTTP plaintext corresponding to the traffic data messages; and performing security detection on the HTTPS traffic by means of the HTTP plaintext.
In this embodiment, the HTTPS traffic in the uploaded mirrored traffic is parsed by the SSL parser to obtain HTTP plaintext, so that security detection of the HTTPS traffic is realized indirectly through security detection of the HTTP plaintext, and Hypertext Transfer Protocol Secure traffic can thereby be detected accurately.
In some embodiments, parsing the traffic data messages of the mirrored traffic with the SSL parser to obtain the HTTP plaintext corresponding to the traffic data messages includes:
parsing the SSL handshake messages with the SSL parser to obtain SSL decryptor generation data, where the SSL decryptor generation data comprises at least one of: tag data, algorithm data, encrypted data, protocol version data, client random number, server random number, premaster secret, session data, and certificate data;
generating the SSL decryptor from the SSL decryptor generation data;
and decrypting the traffic data messages with the SSL decryptor to obtain the HTTP plaintext.
In this embodiment, the SSL parser parses the traffic data messages to obtain the SSL decryptor generation data, from which the SSL decryptor is generated, so that the traffic data messages are decrypted and an accurate HTTP plaintext is obtained.
In some embodiments, decrypting the traffic data messages with the SSL decryptor to obtain the HTTP plaintext includes:
filling the traffic data messages into a record board to obtain a data message record board;
and decrypting the data in the data message record board by calling the upper interface of the SSL decryptor to obtain the HTTP plaintext.
In the above embodiment, the data of the traffic data messages is recorded in the format of the record board, and the traffic data messages can be accurately decrypted by the SSL decryptor through an interface call.
In some embodiments, parsing the traffic data messages with the SSL parser to obtain the HTTP plaintext corresponding to the traffic data messages includes:
sending the traffic data messages to a preset QAT accelerator card, where the QAT accelerator card is used to decrypt the traffic data messages;
and receiving the HTTP plaintext sent back by the QAT accelerator card.
In this embodiment, decryption of the traffic data messages is performed by calling preset hardware, which reduces the software resources consumed and improves decryption efficiency.
In some embodiments, parsing the traffic data messages of the mirrored traffic with the SSL parser to obtain the HTTP plaintext corresponding to the traffic data messages includes:
when the current scenario is determined to be a session reuse scenario, checking whether the SSL session exists in a cache;
when the SSL session exists in the cache, generating the SSL decryptor from the master key and key set historically stored in the cache;
and parsing the traffic data messages with the SSL decryptor to obtain the HTTP plaintext.
In this embodiment, when data for the SSL session exists, the current session can be identified as one of the historical sessions, and the SSL decryptor can be generated directly from the data stored in the cache to decrypt the traffic data messages, which shortens the time needed to generate the SSL decryptor and further improves the efficiency of security detection of the traffic data messages.
In some embodiments, after the security detection of the HTTPS traffic by means of the HTTP plaintext, the method further includes:
when a new encrypted SSL handshake message sent by the client is received, parsing the new traffic data message again with the SSL parser to obtain new SSL decryptor generation data;
generating another SSL decryptor from the new SSL decryptor generation data;
and decrypting the new traffic data message with the other SSL decryptor to obtain another HTTP plaintext.
In the above embodiment, when a new traffic data message sent by the client is acquired, it can be parsed again and a new SSL decryptor generated from the resulting generation data, so that the new traffic data message is decrypted accurately.
In some embodiments, parsing the traffic data messages with the SSL parser to obtain the HTTP plaintext corresponding to the traffic data messages includes:
resolving the premaster secret of the traffic data messages by means of a preset certificate and private key to obtain the master key of the traffic data messages;
and parsing the traffic data messages with the master key to obtain the HTTP plaintext.
In this embodiment, the master key obtained by resolving the premaster secret with the preset certificate and private key allows the traffic data messages to be decrypted quickly.
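The key-derivation steps the passages above describe (client and server random numbers, premaster secret, master key, and a cached master key reused for a resumed session) carried through in TLS 1.2 terms, as an added example that is not the patent's or Hillstone's code. It assumes the RSA key exchange implied by the preset certificate and private key, the key sizes of TLS_RSA_WITH_AES_128_GCM_SHA256, and constructed inputs.

```python
"""TLS 1.2 key derivation as a passive monitor performs it (RFC 5246 sections 5, 6.3, 8.1).

Added example, not code from the patent or from Hillstone. It assumes the monitor has already
recovered the premaster secret (e.g. by decrypting the RSA ClientKeyExchange with the server's
configured private key) and parsed both handshake randoms. Key sizes below are those of
TLS_RSA_WITH_AES_128_GCM_SHA256 (16-byte keys, 4-byte implicit IVs, no MAC keys); the session
cache mirrors the description's reuse of a cached master key on session resumption.
"""
import hashlib
import hmac
from dataclasses import dataclass


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5: an HMAC chain truncated to `length` bytes."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 8.1: PRF(pre_master_secret, "master secret", client_random + server_random)[0..47]."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


@dataclass(frozen=True)
class RecordKeys:
    client_write_key: bytes
    server_write_key: bytes
    client_write_iv: bytes
    server_write_iv: bytes


def key_block(master: bytes, client_random: bytes, server_random: bytes,
              key_len: int = 16, iv_len: int = 4, mac_len: int = 0) -> RecordKeys:
    """RFC 5246 6.3: key_block = PRF(master_secret, "key expansion", server_random + client_random).
    Note the random order is reversed relative to the master secret derivation."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * mac_len + 2 * key_len + 2 * iv_len)
    pos = 2 * mac_len  # client/server MAC keys come first; empty for AEAD suites
    parts = []
    for size in (key_len, key_len, iv_len, iv_len):
        parts.append(block[pos:pos + size])
        pos += size
    return RecordKeys(*parts)


class SessionCache:
    """Master secrets keyed by session id, so a resumed handshake (no ClientKeyExchange,
    hence no premaster to recover) can still be keyed from the new randoms alone."""

    def __init__(self):
        self._master = {}

    def full_handshake(self, session_id: bytes, premaster: bytes,
                       client_random: bytes, server_random: bytes) -> RecordKeys:
        master = master_secret(premaster, client_random, server_random)
        self._master[session_id] = master  # remembered for later resumption
        return key_block(master, client_random, server_random)

    def resumed_handshake(self, session_id: bytes, client_random: bytes,
                          server_random: bytes):
        master = self._master.get(session_id)
        if master is None:
            return None  # unknown session: only a full handshake can key this flow
        return key_block(master, client_random, server_random)


def demo() -> dict:
    """Full handshake, then a resumption of the same session; all inputs are constructed."""
    cache = SessionCache()
    premaster = bytes([3, 3]) + bytes(range(46))  # version prefix + 46 "random" bytes
    cr1, sr1 = bytes(range(32)), bytes(range(32, 64))
    cr2, sr2 = bytes(range(64, 96)), bytes(range(96, 128))
    full = cache.full_handshake(b"session-1", premaster, cr1, sr1)
    return {
        "master_len": len(master_secret(premaster, cr1, sr1)),
        "full": full,
        "resumed": cache.resumed_handshake(b"session-1", cr2, sr2),
        "unknown": cache.resumed_handshake(b"session-9", cr2, sr2),
    }
```

A resumed session yields fresh record keys from the cached master secret and the new randoms, which is why the description can skip regenerating the decryptor's keying material from a premaster.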
In some embodiments, security detection of the HTTPS traffic by means of the HTTP plaintext includes:
parsing the HTTP plaintext with an HTTP parser to obtain the request data of the simulated client and the response data of the simulated server;
and performing security detection on the request data and the response data.
In this embodiment, the request data and response data obtained by the HTTP parser can be security-checked by the detection server, thereby realizing security detection of the HTTPS traffic.
In some embodiments, after determining whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic, the method further includes:
when the traffic type of the mirrored traffic sent by the data plane is determined to be HTTP traffic, parsing the mirrored traffic with the HTTP parser to obtain second request data of the simulated client and second response data of the simulated server;
and sending the second request data and the second response data to a detection server, where the detection server is used to perform security detection on the second request data and the second response data.
In the above embodiment, when the data sent by the data plane is detected to be HTTP traffic, it can be parsed directly by the HTTP parser, and the parsed request and response are then accurately security-checked by the detection server.
In a second aspect, an embodiment of the present application provides a detection apparatus for bypass monitoring of HTTPS, including:
a determining module, used to determine whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic;
a parsing module, used to parse the traffic data messages of the mirrored traffic with the SSL parser when the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic, and to obtain the HTTP plaintext corresponding to the traffic data messages;
and a detection module, used to perform security detection on the HTTPS traffic by means of the HTTP plaintext.
Optionally, the parsing module is specifically configured to:
parse the SSL handshake messages with the SSL parser to obtain SSL decryptor generation data, where the SSL decryptor generation data comprises at least one of: tag data, algorithm data, encrypted data, protocol version data, client random number, server random number, premaster secret, session data, and certificate data;
generate the SSL decryptor from the SSL decryptor generation data;
and decrypt the traffic data messages with the SSL decryptor to obtain the HTTP plaintext.
Optionally, the parsing module is specifically configured to:
fill the traffic data messages into a record board to obtain a data message record board;
and decrypt the data in the data message record board by calling the upper interface of the SSL decryptor to obtain the HTTP plaintext.
Optionally, the parsing module is specifically configured to:
send the traffic data messages to a preset QAT accelerator card, where the QAT accelerator card is used to decrypt the traffic data messages;
and receive the HTTP plaintext sent back by the QAT accelerator card.
Optionally, the parsing module is specifically configured to:
when the current scenario is determined to be a session reuse scenario, check whether the SSL session exists in a cache;
when the SSL session exists in the cache, generate the SSL decryptor from the master key and key set historically stored in the cache;
and parse the traffic data messages with the SSL decryptor to obtain the HTTP plaintext.
Optionally, the apparatus further includes:
a generation module, used, after the security detection of the HTTPS traffic by means of the HTTP plaintext, to parse the new traffic data message again with the SSL parser when a new encrypted SSL handshake message sent by the client is received, so as to obtain new SSL decryptor generation data;
to generate another SSL decryptor from the new SSL decryptor generation data;
and to decrypt the new traffic data message with the other SSL decryptor to obtain another HTTP plaintext.
Optionally, the parsing module is specifically configured to:
resolve the premaster secret of the traffic data messages by means of a preset certificate and private key to obtain the master key of the traffic data messages;
and parse the traffic data messages with the master key to obtain the HTTP plaintext.
Optionally, the detection module is specifically configured to:
parse the HTTP plaintext with an HTTP parser to obtain the request data of the simulated client and the response data of the simulated server;
and perform security detection on the request data and the response data.
Optionally, the apparatus further includes:
a second parsing module, used, after the determining module has determined whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic, to parse the mirrored traffic with the HTTP parser when the traffic type is determined to be HTTP traffic, so as to obtain second request data of the simulated client and second response data of the simulated server;
and to send the second request data and the second response data to a detection server, where the detection server is used to perform security detection on the second request data and the second response data.
In a third aspect, embodiments of the present application provide an electronic device comprising a processor and a memory storing computer readable instructions that, when executed by the processor, perform the steps of the method as provided in the first aspect above.
In a fourth aspect, embodiments of the present application provide a readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method as provided in the first aspect above.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the embodiments of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims thereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flowchart of a detection method for bypass monitoring of HTTPS according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an SSL parser according to an embodiment of the present application;
Fig. 3 is a schematic diagram of a method for parsing data messages using the SSL parsing state machine according to an embodiment of the present application;
Fig. 4 is a schematic structural diagram of an apparatus for detecting HTTPS traffic by bypass monitoring according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a device for detecting HTTPS traffic by bypass monitoring with a QAT accelerator card according to an embodiment of the present application;
Fig. 6 is a schematic block diagram of a detection apparatus for bypass monitoring of HTTPS according to an embodiment of the present application;
Fig. 7 is a schematic block diagram of a detection device for bypass monitoring of HTTPS according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. The components of the embodiments of the present application, as generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance.
Some of the terms referred to in the embodiments of the present application will be described first to facilitate understanding by those skilled in the art.
HTTPS (Hypertext Transfer Protocol Secure): an HTTP channel whose goal is security; on the basis of HTTP, the security of the transmission is ensured by encrypting the transmission and authenticating identities. HTTPS adds SSL on top of HTTP, and the security of HTTPS rests on SSL, so the details of the encryption require SSL. HTTPS uses a default port different from that of HTTP and has an encryption/authentication layer between HTTP and TCP.
SSL (Secure Sockets Layer) and its successor Transport Layer Security (TLS) are security protocols that provide security and data integrity for network communications.
TLS: the Transport Layer Security protocol provides confidentiality and data integrity between two communicating applications. The protocol consists of two layers: the TLS Record protocol and the TLS Handshake protocol. The lower layer is the TLS Record protocol, which sits above a reliable transport protocol (e.g. TCP) and is not tied to any particular application, so TLS protocols are generally classified as transport layer security protocols.
HTTP: the Hypertext Transfer Protocol is a simple request-response protocol that usually runs on top of TCP. It specifies what messages the client may send to the server and what responses it receives.
RSA: a public key cryptosystem, i.e. a cryptosystem that uses different encryption and decryption keys, in which "deriving the decryption key from the known encryption key is computationally infeasible".
DH: the Diffie-Hellman key exchange protocol/algorithm.
OpenSSL: an open-source software library that applications can use to communicate securely, avoiding eavesdropping while confirming the identity of the peer. The package is widely used on web servers across the Internet.
Nginx (engine x): a high-performance HTTP and reverse proxy web server that also provides IMAP/POP3/SMTP services.
Message: a data unit exchanged and transmitted in a network, i.e. the block of data a station transmits at one time. A message contains the complete data to be sent; messages vary in length, which is unlimited and variable.
Web (World Wide Web): a global, dynamically interactive, cross-platform, distributed graphical information system based on hypertext and HTTP. The service is built on the Internet and provides browsers with a graphical, easily accessible visual interface for searching and browsing information on the Internet; documents and hyperlinks organize the information nodes of the Internet into an interconnected network structure.
DPDK (Data Plane Development Kit): developed by companies such as 6WIND and Intel, it runs mainly on Linux and is a library and driver set for fast packet processing that greatly improves data processing performance and throughput and the efficiency of data plane applications.
ID (Identity document): an abbreviation used for various terms such as identification number, account number, unique code, proprietary number, industrial design, country abbreviation, legal term, general account, decoder, software company, and so on.
State machine: a control center composed of a state register and combinational logic circuits, which performs state transitions according to preset states in response to control signals and coordinates the actions of related signals to complete specific operations.
Plaintext: a cryptographic term for characters (or character strings) that are not encrypted and whose meaning can be understood by ordinary people. In a communication system it may be a bit stream such as text, a bitmap, digitized speech or digitized video.
TCP (Transmission Control Protocol): a connection-oriented, reliable, byte-stream-based transport layer communication protocol, defined in IETF RFC 793.
The method and device are applied to the scenario of bypass monitoring of HTTPS security; the specific scenario is detection of HTTPS traffic through an SSL parser, whereby bypass security monitoring is realized.
However, at present, when a client and a server are simulated, the original message is usually sent to a detection server for analysis, and the random numbers in the messages the detection server returns to the simulated client and simulated server necessarily differ from those of the original message. The detection server therefore cannot successfully and securely interface with the simulated client and simulated server, and cannot support detection of Hypertext Transfer Protocol Secure traffic.
For this purpose, the present application determines whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic; when the traffic type of the mirrored traffic sent by the data plane is determined to be HTTPS traffic, it parses the traffic data messages of the mirrored traffic with an SSL parser to obtain the HTTP plaintext corresponding to the traffic data messages; and it performs security detection on the HTTPS traffic by means of the HTTP plaintext. The HTTPS traffic in the uploaded mirrored traffic is parsed by the SSL parser to obtain HTTP plaintext, so that security detection of the HTTPS traffic is realized indirectly through security detection of the HTTP plaintext, and Hypertext Transfer Protocol Secure traffic can thereby be detected accurately.
In the embodiment of the present application, the executing entity may be the bypass monitoring device in a bypass monitoring detection system; in practice the bypass monitoring device may be an electronic device such as a terminal device or a server, which is not limited here.
The detection method for bypass monitoring of HTTPS according to the embodiment of the present application is described in detail below with reference to Fig. 1.
Referring to Fig. 1, which is a flowchart of a method for detecting bypass monitoring of HTTPS according to an embodiment of the present application, the method shown in Fig. 1 includes:
Step 110: determining whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic.
The data plane (DPDK) may be the data plane of a router and may collect mirrored traffic from other links; for example, when a user terminal accesses a server, the mirrored traffic may be collected from the access link. The mirrored traffic may be a replicated copy of the access data. Traffic types include HTTPS traffic and HTTP traffic.
In some embodiments of the present application, after determining whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic, the method shown in Fig. 1 further includes: when the traffic type of the mirrored traffic sent by the data plane is determined to be HTTP traffic, parsing the mirrored traffic with an HTTP parser to obtain second request data of the simulated client and second response data of the simulated server; and sending the second request data and the second response data to a detection server, where the detection server is used to perform security detection on the second request data and the second response data.
In the above process, when the data sent by the data plane is detected to be HTTP traffic, the HTTP traffic can be parsed directly by the HTTP parser, and the parsed request and response are then accurately security-checked by the detection server.
The HTTP parser may be configured to parse the HTTP traffic to obtain the request and response of the access data in the mirrored traffic. When request data is obtained by parsing, it can be sent to the detection server (nginx) once the TCP connection from the simulated client has been established; when response data is obtained by parsing, it can be sent to the detection server through the simulated server, and the detection server performs security detection on the response data and the request data. When both response data and request data are obtained by parsing, a connection is established between the simulated client and the detection server and between the simulated server and the detection server; the data to be checked is sent to the detection server through the simulated client, the detection server performs security detection on the request data and forwards it to the simulated server, and security detection is performed on the response data in the detection queue.
Step 120: when the traffic type of the mirrored traffic sent by the data plane is determined to be HTTPS traffic, parsing the traffic data messages of the mirrored traffic with the SSL parser to obtain the HTTP plaintext corresponding to the traffic data messages.
The SSL parser parses the traffic data messages of the mirrored traffic so that the ciphertext in the traffic data messages is turned into HTTP plaintext. The SSL parser includes one or more SSL decryptors, each comprising a data structure holding the decryption state, a template (record board) for recording traffic data messages, and a buffer for storing the HTTP plaintext. The traffic data messages may be access data messages generated when the client accesses the server, or handshake data generated when the connection between the server and the client is established. The traffic data messages are obtained by recording the message format of the SSL/TLS layer in the record protocol.
The SSL parser is described in detail below based on the schematic structure shown in Fig. 2.
Referring to Fig. 2, which is a schematic structural diagram of an SSL parser according to an embodiment of the present application, the data structure of the SSL parser shown in Fig. 2 includes:
the SSL parser context data, the SSL handshake context data, and the SSL decryptor data.
The SSL parser context data includes: the state of the SSL parser, the SSL handshake context data, a c2s ciphertext message queue, an s2c ciphertext message queue, a c2s handshake message queue, an s2c handshake message queue, a c2s decryptor, and an s2c decryptor.
The SSL handshake context data includes: extension tags, compression algorithms, cipher suites, protocol version, client random number, server random number, premaster secret, session id, session ticket, and certificates.
The SSL decryptor includes: an SSL data structure, a record board (SSL3_RECORD), and a buffer.
The states of the SSL parser are: an initial state, a waiting state, a ready state, a renegotiation state, and a negotiation-ended state. The SSL context data may be used to generate the SSL decryptors; the SSL decryptor data comprises the c2s decryptor and s2c decryptor data. The c2s decryptor decrypts messages in the c2s ciphertext message queue and the c2s handshake message queue, and the s2c decryptor decrypts data in the s2c ciphertext message queue and the s2c handshake message queue. An SSL decryptor comprises a data structure storing the decryption state, a record board storing the message to be decrypted, and a buffer storing the plaintext obtained by decrypting the message, e.g. a buffer of 20k.
For the rest, the structure and function of the SSL parser shown in Fig. 2 follow the method shown in Fig. 1 and are not repeated here.
The method for processing the data message in different states of the SSL parser is described in detail below with reference to fig. 3.
Referring to fig. 3, fig. 3 is a schematic diagram of a method for resolving a data packet by using an SSL resolving state machine according to an embodiment of the present application, where the method shown in fig. 3 includes:
In the initial state (INIT), the context of the SSL parser is initialised. In the waiting state (PENDING), the parser receives the initial handshake messages; once the Finished messages in both the c2s and s2c directions have been placed in the handshake message queues for decryption by the c2s decryptor and/or the s2c decryptor, the state moves to the ready state (VALID), while other messages (alert messages) or abnormal messages move it to the negotiation ending state (FIN). In the ready state, the messages received in the c2s and s2c directions are decrypted by the SSL decryptor and the resulting HTTP plaintext can be processed by the HTTP parser; a handshake message received in this state moves the parser to the renegotiation state (RENEGOTIATE), and alert or abnormal messages move it to the negotiation ending state. In the renegotiation state, the received handshake messages are decrypted directly by the SSL decryptor and the state returns to the ready state, where the c2s/s2c handshake messages are handed to the SSL decryptor again and the resulting HTTP plaintext is processed by the HTTP parser; alert messages, error messages or abnormal messages again move the state to the negotiation ending state.
In addition, the function and structure of the state machine shown in fig. 3 can be understood in detail by the methods and structures shown in fig. 1 and 2, and will not be described in detail herein.
In some embodiments of the present application, parsing, by the SSL parser, a traffic data message of the mirrored traffic to obtain the HTTP plaintext corresponding to the traffic data message includes: parsing the SSL handshake message through the SSL parser to obtain SSL decryptor generated data, wherein the SSL decryptor generated data comprises: at least one of tag data, algorithm data, encrypted data, protocol version data, client random number, server random number, premaster secret key, session data, and certificate data; generating the SSL decryptor from the SSL decryptor generated data; and decrypting the traffic data message through the SSL decryptor to obtain the HTTP plaintext.
In the process, the SSL decryptor generated data obtained by analyzing the flow data message through the SSL analyzer can generate the SSL decryptor, so that the decryption of the flow data message is completed, and an accurate HTTP plaintext is obtained.
The tag data may be tags and extension tags; the algorithm data may be the compression algorithm negotiated for the session; the encrypted data may be the cipher suite used to encrypt the traffic; the protocol version data is the version of the secure transport protocol; and the client random and the server random are the handshake nonces that, together with the premaster secret, are used to derive the encryption and decryption keys. The premaster secret may be data generated by the client for computing the master secret; the session data includes the session id, the session number and the session interface; and the certificate may be a preset certificate. The key exchange method used when establishing the session between the client and the server may be RSA or DH.
In some embodiments of the present application, decrypting, by an SSL decryptor, the traffic data message to obtain HTTP plaintext includes: filling the flow data message into a record board to obtain a data message record board; and decrypting the data in the data message record board by calling an upper interface of the SSL decryptor to obtain the HTTP plaintext.
In the process, the data in the flow data message is recorded through the format on the recording board, and the flow data message can be accurately decrypted through the SSL decryptor in an interface calling mode.
Here the decryption of the data in the record board by the SSL decryptor can be invoked through an upper-layer interface such as that of OpenSSL.
In some embodiments of the present application, resolving, by an SSL parser, a traffic data packet of traffic data to obtain an HTTP plaintext corresponding to the traffic data packet, including: transmitting a flow data message to a preset QAT accelerator card, wherein the QAT accelerator card is used for decrypting the flow data message; and receiving the HTTP plaintext sent by the QAT accelerator card.
In this process, decryption of the traffic data message is performed by the preset hardware device, which reduces the resources consumed in software and improves decryption efficiency.
The QAT (QuickAssist) accelerator card can obtain the ciphertext obtained by the analysis of the SSL analyzer through the QAT engine, and sends the ciphertext to the QAT accelerator card through the QAT driver, and the QAT accelerator card is a hardware device and can directly and quickly decrypt the ciphertext to obtain a corresponding HTTP plaintext and return the corresponding HTTP plaintext to the SSL analyzer through the QAT driver and the QAT engine.
In some embodiments of the present application, parsing, by the SSL parser, a traffic data message of the mirrored traffic to obtain the HTTP plaintext corresponding to the traffic data message includes: when the current scene is determined to be a session multiplexing scene, detecting whether the SSL session exists in the cache; when the SSL session exists in the cache, generating the SSL decryptor from the master key and key set historically stored in the cache; and parsing the traffic data message through the SSL decryptor to obtain the HTTP plaintext.
In the process, when the SSL session data exists, the current session can be determined to be one or more of the historical sessions, the SSL decryptor can be directly generated according to the data stored in the cache to decrypt the flow data message, the time for generating the SSL decryptor is reduced, and the safety detection efficiency of the flow data message is further improved.
When the client sends a ClientHello carrying a session id and the server replies with a ServerHello carrying the same session id, the current scene is determined to be a session multiplexing (session resumption) scene. That is, the session id in the handshake message is non-empty, meaning an earlier session with this user exists, or the handshake message carries the session ticket extension; the SSL decryptor can then be generated directly from the cipher suite and master key that were negotiated in that session and stored in the session cache.
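The following is an added example, not code from the patent or from Hillstone Networks, showing the record-layer parsing that the state machine of fig. 3 and the session-resumption check above rest on: records are split by the five-byte TLS record header, the ClientHello/ServerHello fields that populate the handshake context (randoms, session ids, cipher suite) are extracted, a non-empty session id echoed by the server marks the session-multiplexing scene, and the parser moves through PENDING, VALID, RENEGOTIATE and FIN as Finished messages, application data, renegotiation handshakes and alerts arrive. Class and function names, the queue layout and the constructed hello messages produced by `build_hello` are assumptions; decryption itself is left to the per-direction decryptor, so encrypted records are only queued.

```python
"""Passive TLS record/handshake parser with the parser states INIT, PENDING, VALID,
RENEGOTIATE and FIN. Added example, not the patent's code; names and the
constructed messages are assumptions."""
import struct

CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23     # TLS record content types
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2             # handshake message types


def iter_records(data: bytes):
    """Yield (content_type, version, body) for each TLS record in the stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        yield ctype, version, body
        off += 5 + length


def parse_hello(body: bytes) -> dict:
    """Fields shared by ClientHello/ServerHello; assumes one handshake message per record."""
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    p = body[4:4 + hs_len]
    sid_len = p[34]
    info = {"type": hs_type, "version": struct.unpack("!H", p[:2])[0],
            "random": p[2:34], "session_id": p[35:35 + sid_len]}
    if hs_type == HS_SERVER_HELLO:                  # the chosen cipher suite follows session_id
        info["cipher_suite"] = struct.unpack("!H", p[35 + sid_len:37 + sid_len])[0]
    return info


class SSLParser:
    """State machine for one mirrored connection; records that need a decryptor are
    queued per direction (c2s / s2c), decryption itself is outside this example."""

    def __init__(self):
        self.state = "INIT"
        self.ctx = {}                                   # SSL handshake context
        self.ciphertext = {"c2s": [], "s2c": []}        # ciphertext message queues
        self.handshake = {"c2s": [], "s2c": []}         # encrypted handshake queues
        self._ccs_seen = {"c2s": False, "s2c": False}   # ChangeCipherSpec seen, Finished next
        self._finished = {"c2s": False, "s2c": False}
        self.state = "PENDING"                          # context initialised

    @property
    def resumed(self) -> bool:
        """Session-multiplexing scene: the server echoed a non-empty session id."""
        cid = self.ctx.get("client_session_id", b"")
        return bool(cid) and cid == self.ctx.get("server_session_id")

    def feed(self, direction: str, data: bytes) -> str:
        if self.state == "FIN":
            return self.state
        for ctype, _version, body in iter_records(data):
            if ctype == CCS:
                self._ccs_seen[direction] = True
            elif ctype == HANDSHAKE:
                self._on_handshake(direction, body)
            elif ctype == APPDATA:
                self.ciphertext[direction].append(body)
            else:                                       # alert or abnormal record
                self.state = "FIN"
                break
        return self.state

    def _on_handshake(self, direction: str, body: bytes) -> None:
        if self.state == "VALID":
            self.state = "RENEGOTIATE"                  # new handshake on an established session
        if self.state == "RENEGOTIATE" or self._ccs_seen[direction]:
            self.handshake[direction].append(body)      # encrypted: left for the decryptor
            if self._ccs_seen[direction]:               # this record is the Finished message
                self._ccs_seen[direction] = False
                self._finished[direction] = True
                if all(self._finished.values()):
                    self.state = "VALID"
                    self._finished = {"c2s": False, "s2c": False}
        elif body[0] == HS_CLIENT_HELLO:
            h = parse_hello(body)
            self.ctx.update(client_random=h["random"], client_session_id=h["session_id"])
        elif body[0] == HS_SERVER_HELLO:                # other plaintext handshake types are skipped
            h = parse_hello(body)
            self.ctx.update(server_random=h["random"], server_session_id=h["session_id"],
                            cipher_suite=h["cipher_suite"], version=h["version"])


def build_record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload


def build_hello(hs_type: int, random32: bytes, session_id: bytes, suite: int) -> bytes:
    """Constructed ClientHello/ServerHello record without extensions, for offline tests."""
    body = struct.pack("!H", 0x0303) + random32 + bytes([len(session_id)]) + session_id
    if hs_type == HS_CLIENT_HELLO:
        body += struct.pack("!HH", 2, suite) + b"\x01\x00"   # one suite, null compression
    else:
        body += struct.pack("!H", suite) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return build_record(HANDSHAKE, hs)
```

A real capture coalesces several handshake messages into one record and may split one message across records, so a production parser reassembles the handshake stream before dispatching on the message type; the parser here keeps the one-message-per-record simplification to stay readable.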
In some embodiments of the present application, parsing, by the SSL parser, a traffic data message of the traffic data to obtain the HTTP plaintext corresponding to the traffic data message includes: parsing the premaster secret of the traffic data message through a preset certificate and private key to obtain the master secret of the traffic data message; and parsing the traffic data message through the master secret to obtain the HTTP plaintext.
In this process, the master secret obtained by recovering the premaster secret with the preset certificate and private key allows the traffic data message to be decrypted quickly.
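As an added example (not the patent's code, which relies on the OpenSSL interface for this step), the TLS 1.2 derivation from the premaster secret to the master secret and on to the per-direction key set, together with a session cache standing in for the "master key and key set historically stored in the cache" of the session-multiplexing case above. It assumes the premaster secret has already been recovered by decrypting the ClientKeyExchange with the server's RSA private key; that recovery is only possible with RSA key exchange, since with (EC)DHE the premaster secret is never sent in a form the private key can unlock, which is why the session cache or a supplied master key matters there. Function and class names and the inputs in the usage are assumptions; the key sizes are those of TLS_RSA_WITH_AES_128_CBC_SHA, the 0x002F suite.

```python
"""TLS 1.2 key derivation (RFC 5246, sections 5, 6.3 and 8.1) from a premaster secret.
Added example, not the patent's code. It assumes the RSA-encrypted premaster secret has
already been decrypted with the server's private key upstream; function names and the
constructed inputs are assumptions."""
import hashlib
import hmac

# Sizes for TLS_RSA_WITH_AES_128_CBC_SHA (0x002F): HMAC-SHA1 MAC key, AES-128 key, CBC IV
MAC_LEN, KEY_LEN, IV_LEN = 20, 16, 16


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion: A(i) = HMAC(secret, A(i-1)), output HMAC(secret, A(i) + seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret; for RSA key exchange the premaster is 48 bytes."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def derive_keys(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Split the key block into per-direction MAC keys, write keys and IVs.
    The seed is server_random + client_random, the reverse of master_secret()."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (MAC_LEN + KEY_LEN + IV_LEN))
    names = ("c2s_mac", "s2c_mac", "c2s_key", "s2c_key", "c2s_iv", "s2c_iv")
    sizes = (MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN, IV_LEN, IV_LEN)
    keys, off = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[off:off + size]
        off += size
    return keys


class SessionCache:
    """Master secrets of completed handshakes, keyed by session id, so a resumed
    session can be decrypted although no new key exchange is observed."""

    def __init__(self):
        self._store = {}

    def remember(self, session_id: bytes, master: bytes) -> None:
        if session_id:
            self._store[session_id] = master

    def keys_for(self, session_id: bytes, client_random: bytes, server_random: bytes):
        """Key set for a resumed session: cached master secret, fresh randoms."""
        master = self._store.get(session_id)
        return None if master is None else derive_keys(master, client_random, server_random)


def full_handshake_keys(cache: SessionCache, session_id: bytes, premaster: bytes,
                        client_random: bytes, server_random: bytes) -> dict:
    """Full handshake: derive the master secret, cache it, return the key set."""
    master = master_secret(premaster, client_random, server_random)
    cache.remember(session_id, master)
    return derive_keys(master, client_random, server_random)
```

Note the asymmetry that trips up most passive-decryption implementations: the master secret seed is client_random + server_random, but the key-expansion seed is server_random + client_random. A resumed session reuses the cached master secret with the new randoms, so the key set differs from the original session's even though no premaster secret was exchanged.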
Step 130: and carrying out safety detection on the HTTPS traffic through the HTTP plaintext.
Security detection of the HTTPS traffic through the HTTP plaintext means that the HTTPS traffic is detected indirectly by detecting the HTTP plaintext recovered from it.
In some embodiments of the present application, security detection of the HTTPS traffic through the HTTP plaintext includes: parsing the HTTP plaintext through the HTTP parser to obtain request data of the simulation client and response data of the simulation server; and performing security detection on the request data and the response data.
In this process, the request data and response data obtained by the HTTP parser are sent to the detection server for security detection, thereby realising security detection of the HTTPS traffic.
The request data includes the address accessed, the time and the access requirement; the response data includes the result returned for the access.
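As an added example, not the patent's code: framing the decrypted plaintext buffers of both directions into HTTP/1.1 requests and responses and pairing them, which is what the simulation client and simulation server need before a request and its response can be handed to the detection server. Function names and the two constructed exchanges in the usage are assumptions; only Content-Length framing is handled, and a chunked body is rejected rather than mis-framed.

```python
"""Frame HTTP/1.1 requests and responses out of the decrypted plaintext buffers so
each request/response pair can be handed to the detection server. Added example,
not the patent's code; function names and the constructed messages are assumptions.
Only Content-Length bodies are framed; chunked bodies are rejected."""


def parse_message(buf: bytes):
    """Return (start_line, headers, body, bytes_consumed), or None if more data is needed."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    lines, rest = buf[:end].split(b"\r\n"), buf[end + 4:]
    start_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        raise ValueError("chunked transfer-encoding is not framed by this example")
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        raise ValueError("malformed Content-Length") from None
    if length < 0:
        raise ValueError("negative Content-Length")
    if len(rest) < length:
        return None                                     # body not fully received yet
    return start_line, headers, rest[:length], end + 4 + length


def iter_messages(buf: bytes):
    """Yield every complete message in one direction's plaintext buffer, in order."""
    while buf:
        parsed = parse_message(buf)
        if parsed is None:
            return
        start_line, headers, body, consumed = parsed
        yield {"start_line": start_line, "headers": headers, "body": body}
        buf = buf[consumed:]


def pair_transactions(c2s_plain: bytes, s2c_plain: bytes) -> list:
    """Pair the n-th request with the n-th response (HTTP/1.1 answers in request order)."""
    requests = list(iter_messages(c2s_plain))
    responses = list(iter_messages(s2c_plain))
    return [{"request": r, "response": s} for r, s in zip(requests, responses)]


def request_summary(req: dict) -> dict:
    """The access address and requirement that the detection server is given."""
    method, target, version = req["start_line"].split(" ", 2)
    return {"method": method, "target": target, "host": req["headers"].get("host"),
            "version": version, "body_len": len(req["body"])}


def response_status(resp: dict) -> int:
    return int(resp["start_line"].split(" ", 2)[1])
```

Pairing by position is only valid while the connection is not pipelined beyond what the server answers in order and no 1xx interim responses are interleaved; a replay toward the detection server should treat an unpaired trailing request as incomplete rather than as a missing response.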
In some embodiments of the present application, after the security detection of HTTPs traffic by HTTP plaintext, the method illustrated in fig. 1 further includes: when a new encrypted SSL handshake message sent by a client is received, resolving the new SSL handshake message through an SSL resolver again to obtain new SSL decryptor generated data; generating data by the new SSL decryptor to generate another SSL decryptor; and decrypting the new flow data message through another SSL decryptor to obtain another HTTP plaintext.
In the process, when the new flow data message sent by the client is acquired, the new flow data message can be analyzed again, and a new SSL decryptor is generated through the obtained generated data, so that the accurate decryption of the new flow data message can be realized.
In the process shown in fig. 1, the present application determines whether the traffic type of the mirror traffic sent by the data plane is HTTPS traffic; when the flow type of the mirror image flow sent by the data plane is determined to be HTTPS flow, resolving the flow data message of the mirror image flow through an SSL resolver to obtain an HTTP plaintext corresponding to the flow data message; and carrying out safety detection on the HTTPS traffic through the HTTP plaintext. The HTTPS flow in the uploaded mirror image flow is analyzed through the SSL analyzer to obtain an HTTP plaintext, and then the safety detection of the HTTPS flow can be indirectly realized through the safety detection of the HTTP plaintext, and the effect of accurately detecting the flow of the hypertext transfer safety protocol can be achieved through the method.
A detailed method of bypass detection of HTTPS traffic is described below in conjunction with fig. 4.
Referring to fig. 4, fig. 4 is a schematic structural diagram of an apparatus for detecting HTTPS traffic by bypass monitoring according to an embodiment of the present application, where the apparatus shown in fig. 4 includes:
A data plane, a bypass process, and a control plane.
The bypass process includes: SSL parser, HTTP parser, simulation client and simulation server.
The control plane includes: the bypass process and the detection server (an nginx service).
When HTTPS traffic is detected with this apparatus, the data plane receives the mirrored traffic, including the handshake, and sends the traffic data messages of the mirrored traffic to the bypass process in the control plane. The bypass process first determines whether the traffic type of the traffic data messages is HTTPS or HTTP. For HTTPS traffic, the SSL parser is used to obtain the HTTP plaintext, which is then parsed by the HTTP parser; for HTTP traffic, the HTTP parser parses the plaintext directly. The request and response produced by the HTTP parser are then sent to the detection server through the simulation client and the simulation server respectively for security detection.
In addition, the specific method and steps shown in fig. 4 may refer to the method shown in fig. 1, and are not described in detail herein.
The method of detecting HTTPS traffic by the bypass detection apparatus with a QAT accelerator card is described in detail below with reference to fig. 5.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an apparatus for detecting HTTPS traffic through QAT accelerator card bypass monitoring according to an embodiment of the present application, where the apparatus shown in fig. 5 includes:
QAT accelerator card, data plane, bypass process and control plane.
The bypass process includes: SSL parser, HTTP parser, simulation client and simulation server.
The control plane includes: the QAT engine, the QAT driver, the bypass process, and the detection server (an nginx service).
When HTTPS traffic is detected with this apparatus, the data plane receives the mirrored traffic, including the handshake, and sends the traffic data messages of the mirrored traffic to the bypass process in the control plane. The bypass process first determines whether the traffic type of the traffic data messages is HTTPS or HTTP. For HTTPS traffic, the SSL parser passes the ciphertext of the traffic data through the QAT engine and the QAT driver to the QAT accelerator card, which decrypts it and returns the HTTP plaintext to the SSL parser through the QAT driver and the QAT engine; the HTTP plaintext is then parsed by the HTTP parser. For HTTP traffic, the HTTP parser parses the plaintext directly. The request and response produced by the HTTP parser are then sent to the detection server through the simulation client and the simulation server respectively for security detection.
In addition, the specific method and steps shown in fig. 5 may refer to the method shown in fig. 1, and are not described in detail herein.
The foregoing describes the detection method and apparatus of bypass-monitoring HTTPS by fig. 1-5, and the detection apparatus of bypass-monitoring HTTPS is described below with reference to fig. 6-7.
Referring to fig. 6, a schematic block diagram of an apparatus 600 for detecting HTTPS by bypass monitoring is provided in an embodiment of the present application, where the apparatus 600 may be a module, a program segment, or code on an electronic device. The apparatus 600 corresponds to the above-described embodiment of the method of fig. 1 and is capable of performing the steps involved in that embodiment; the specific functions of the apparatus 600 may be found in the following description, and detailed descriptions are omitted where appropriate to avoid redundancy.
Optionally, the apparatus 600 includes:
a determining module 610, configured to determine whether a traffic type of the mirrored traffic sent by the data plane is HTTPS traffic;
the parsing module 620 is configured to parse, by using an SSL parser, a flow data packet of the mirror flow when it is determined that the flow type of the mirror flow sent by the data plane is HTTPS flow, so as to obtain an HTTP plaintext corresponding to the flow data packet;
the detection module 630 is configured to perform security detection on HTTPs traffic through HTTP plaintext.
Optionally, the parsing module is specifically configured to:
parsing the traffic data message through the SSL parser to obtain SSL decryptor generated data, wherein the SSL decryptor generated data comprises: at least one of tag data, algorithm data, encrypted data, protocol version data, client random number, server random number, premaster secret key, session data, and certificate data; generating the SSL decryptor from the SSL decryptor generated data; and decrypting the traffic data message through the SSL decryptor to obtain the HTTP plaintext.
Optionally, the parsing module is specifically configured to:
filling the flow data message into a record board to obtain a data message record board; and decrypting the data in the data message record board by calling an upper interface of the SSL decryptor to obtain the HTTP plaintext.
Optionally, the parsing module is specifically configured to:
transmitting a flow data message to a preset QAT accelerator card, wherein the QAT accelerator card is used for decrypting the flow data message; and receiving the HTTP plaintext sent by the QAT accelerator card.
Optionally, the parsing module is specifically configured to:
when the current scene is determined to be a session multiplexing scene, detecting whether the SSL session exists in the cache; when the SSL session exists in the cache, generating the SSL decryptor from the master key and key set historically stored in the cache; and parsing the traffic data message through the SSL decryptor to obtain the HTTP plaintext.
Optionally, the apparatus further includes:
the generation module is configured to, after the security detection of the HTTPS traffic through the HTTP plaintext, parse the new traffic data message again through the SSL parser when a new encrypted SSL handshake message sent by the client is received, so as to obtain new SSL decryptor generated data; generate another SSL decryptor from the new SSL decryptor generated data; and decrypt the new traffic data message through the other SSL decryptor to obtain another HTTP plaintext.
Optionally, the parsing module is specifically configured to:
parsing the premaster secret of the traffic data message through a preset certificate and private key to obtain the master secret of the traffic data message; and parsing the traffic data message through the master secret to obtain the HTTP plaintext.
Optionally, the detection module is specifically configured to:
parsing the HTTP plaintext through the HTTP parser to obtain request data of the simulation client and response data of the simulation server; and performing security detection on the request data and the response data.
Optionally, the apparatus further includes:
the second parsing module is configured to, after the determining module determines whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic, parse the mirrored traffic through the HTTP parser when the traffic type is determined to be HTTP traffic, so as to obtain second request data of the simulation client and second response data of the simulation server; and send the second request data and the second response data to the detection server, which performs security detection on the second request data and the second response data.
Referring to fig. 7, a schematic block diagram of a detection apparatus for bypass monitoring HTTPS according to an embodiment of the present application may include a memory 710 and a processor 720. Optionally, the apparatus may further include: a communication interface 730, and a communication bus 740. The apparatus corresponds to the embodiment of the method of fig. 1 described above, and is capable of performing the steps involved in the embodiment of the method of fig. 1, and specific functions of the apparatus may be found in the following description.
In particular, the memory 710 is used to store computer readable instructions.
Processor 720, which processes the memory-stored readable instructions, is capable of performing the various steps in the method of fig. 1.
Communication interface 730 for communicating signaling or data with other node devices. For example: for communication with a server or terminal, or with other device nodes, the embodiments of the application are not limited in this regard.
A communication bus 740 for implementing direct connection communication of the above-described components.
The communication interface 730 of the device in the embodiment of the present application is used for signaling or data communication with other node devices. The memory 710 may be a high-speed RAM memory or a non-volatile memory, such as at least one disk memory. Memory 710 may optionally also be at least one storage device located remotely from the aforementioned processor. The memory 710 stores computer readable instructions which, when executed by the processor 720, perform the method process described above in fig. 1. Processor 720 may be the processor of apparatus 600 and performs the functions described herein. By way of example, the processor 720 may be a general purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and the embodiments are not limited in this regard.
Embodiments of the present application also provide a readable storage medium storing a computer program which, when executed by a processor, performs the method process performed by the electronic device in the method embodiment shown in fig. 1.
It will be clear to those skilled in the art that, for convenience and brevity of description, reference may be made to the corresponding procedure in the foregoing method for the specific working procedure of the apparatus described above, and this will not be repeated here.
In summary, the embodiment of the application provides a method and a device for detecting bypass monitoring HTTPS, where the method includes determining whether a traffic type of a mirror traffic sent by a data plane is HTTPS traffic; when the flow type of the mirror image flow sent by the data plane is determined to be HTTPS flow, resolving the flow data message of the mirror image flow through an SSL resolver to obtain an HTTP plaintext corresponding to the flow data message; and carrying out safety detection on the HTTPS traffic through the HTTP plaintext. The method can achieve the effect of accurately detecting the flow of the hypertext transfer security protocol.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other manners as well. The apparatus embodiments described above are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.

Claims (10)

1. A method for detecting bypass monitoring HTTPS, comprising:
determining whether the traffic type of the mirror image traffic sent by the data plane is HTTPS traffic;
when the flow type of the mirror image flow sent by the data plane is determined to be HTTPS flow, resolving the flow data message of the mirror image flow through an SSL resolver to obtain an HTTP plaintext corresponding to the flow data message;
and carrying out security detection on the HTTPS flow through the HTTP plaintext.
2. The method of claim 1, wherein the parsing, by the SSL parser, the traffic data message of the mirror traffic to obtain HTTP plaintext corresponding to the traffic data message, includes:
and resolving the SSL handshake message through the SSL resolver to obtain SSL decryptor generated data, wherein the SSL decryptor generated data comprises: at least one of tag data, algorithm data, encrypted data, protocol version data, client random number, server random number, premaster secret key, session data, and certificate data;
generating data by the SSL decryptor, generating an SSL decryptor;
and decrypting the flow data message through the SSL decryptor to obtain the HTTP plaintext.
3. The method of claim 2, wherein decrypting the traffic data message by the SSL decryptor results in the HTTP plaintext, comprising:
filling the flow data message into a record board to obtain a data message record board;
and decrypting the data in the data message record board by calling an upper interface of the SSL decryptor to obtain the HTTP plaintext.
4. The method of claim 1, wherein the parsing, by the SSL parser, the traffic data message of the traffic data to obtain the HTTP plaintext corresponding to the traffic data message, includes:
the traffic data message is sent to a preset QAT accelerator card, wherein the QAT accelerator card is used for decrypting the traffic data message;
and receiving the HTTP plaintext sent by the QAT accelerator card.
5. The method according to any one of claims 1-4, wherein the parsing, by an SSL parser, the traffic data message of the mirrored traffic to obtain HTTP plaintext corresponding to the traffic data message includes:
when the current scene is determined to be a session multiplexing scene, detecting whether an SSL session exists in a cache;
when the SSL session is detected to exist in the cache, generating an SSL decryptor through a master key and a key set historically stored in the cache;
and analyzing the flow data message through the SSL decryptor to obtain the HTTP plaintext.
6. The method of any of claims 1-4, wherein after the security detection of the HTTPS traffic by the HTTP plaintext, the method further comprises:
when receiving a new encrypted SSL handshake message sent by a client, resolving the new flow data message through the SSL resolver again to obtain new SSL decryptor generated data;
generating data by the new SSL decryptor to generate another SSL decryptor;
and decrypting the new flow data message through the other SSL decryptor to obtain another HTTP plaintext.
7. The method according to any one of claims 1-4, wherein the parsing, by an SSL parser, the traffic data message of the traffic data to obtain an HTTP plaintext corresponding to the traffic data message includes:
analyzing a premaster secret key of the flow data message through a preset certificate and a private key to obtain a master secret key of the flow data message;
and analyzing the flow data message through the master key to obtain the HTTP plaintext.
8. The method according to any one of claims 1-4, wherein said security detecting said HTTPS traffic through said HTTP plaintext comprises:
analyzing the HTTP plaintext through an HTTP analyzer to obtain request data of a simulation client and response data of a simulation server;
and carrying out security detection on the request data and the response data.
9. The method according to any of claims 1-4, wherein after said determining whether the traffic type of the mirrored traffic sent by the data plane is HTTPS traffic, the method further comprises:
when the flow type of the mirror image flow sent by the data plane is determined to be HTTP flow, resolving the mirror image flow through an HTTP resolver to obtain second request data of the simulation client and second response data of the simulation server;
and sending the second request data and the second response data to a detection server, wherein the detection server is used for carrying out security detection on the second request data and the second response data.
10. A detection apparatus for bypass monitoring HTTPS, comprising:
the determining module is used for determining whether the traffic type of the mirror image traffic sent by the data plane is HTTPS traffic;
the analysis module is used for analyzing the flow data message of the mirror image flow through the SSL analyzer when the flow type of the mirror image flow sent by the data plane is determined to be HTTPS flow, so as to obtain an HTTP plaintext corresponding to the flow data message;
and the detection module is used for carrying out safety detection on the HTTPS flow through the HTTP plaintext.
CN202310113327.9A 2023-02-14 2023-02-14 Detection method and device for bypass monitoring HTTPS Pending CN116055475A (en)

Publications (1)

Publication Number Publication Date
CN116055475A true CN116055475A (en) 2023-05-02

Family

ID=86131374
Similar Documents

Publication Publication Date Title
US10785261B2 (en) Techniques for secure session reestablishment
CN111628976B (en) Message processing method, device, equipment and medium
US10069800B2 (en) Scalable intermediate network device leveraging SSL session ticket extension
CA2849911C (en) Implementation of secure communications in a support system
US20100191954A1 (en) Method and apparatus for transmitting message in heterogeneous federated environment, and method and apparatus for providing service using the message
WO2019178942A1 (en) Method and system for performing ssl handshake
CN106357690B (en) data transmission method, data sending device and data receiving device
US20070192845A1 (en) System and method for passively detecting a proxy
US10055591B1 (en) Secure protocol attack mitigation
CN108156178A (en) A kind of SSL/TLS data monitoring systems and method
US9961055B1 (en) Inaccessibility of data to server involved in secure communication
CN107124385B (en) Mirror flow-based SSL/TLS protocol plaintext data acquisition method
US8010787B2 (en) Communication device, communication log transmitting method suitable for communication device, and communication system
CN110581847A (en) Input foreknowledge system
CN107431691A (en) A kind of data pack transmission method, device, node device and system
CN114679314B (en) Data decryption method, device, equipment and storage medium
CN116055475A (en) Detection method and device for bypass monitoring HTTPS
CN110351086A (en) Encryption information processing and transmission method and system in a kind of group, robot
CN114679260B (en) Bypass audit compatible extension master key encryption data method, system and terminal
CN114915503A (en) Data stream splitting processing encryption method based on security chip and security chip device
CN113992734A (en) Session connection method, device and equipment
JP2003244194A (en) Data encrypting apparatus, encryption communication processing method, and data relaying apparatus
CN114139192A (en) Encrypted traffic processing method, encrypted traffic processing apparatus, electronic device, medium, and program
CN116032545B (en) Multi-stage filtering method and system for ssl or tls flow
CN117319088B (en) Method, device, equipment and medium for blocking illegal external connection equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination